Archive for August 9th, 2017

Currently in Ukraine there is no requirement to supply any identification when purchasing a mobile SIM card. Vendors are on almost every street corner selling SIM cards for all leading mobile providers. Many Ukrainians have at least two SIM cards and/or two mobiles – and that in turn could mean four SIM cards (and four mobile numbers) in mobiles that accommodate two SIMs – sometimes even more.

Almost everybody has a mobile phone. Almost all mobile phones are billed via a pre-paid (pay as you rattle) system rather than by contract. Payment machines to pre-pay for mobile credit are everywhere, from small shops, to shopping malls, to machines simply on street corners, and of course e-payment options.

All of this means that a mobile phone service provider has very little/no idea as to the identity of 90% of their network users, let alone all the mobile numbers that would relate to that individual, unless they are part of the approximately 10% (it’s slightly less) of mobile users on contract services.

In 2015, the Ukrainian government, via The State Service of Special Communication and Information Protection (a body within the SBU) under the guise of national security and “terrorism” (read those prone to act at the behest of The Kremlin) attempted to pass legislation – which was, as usual, extremely poorly crafted – to force the “certification” of all mobile users. Its attempts failed.

Prior to that there was a similar attempt in 2012 which also failed.

There is now to be another attempt in 2017.

This time the draft legislation is framed around national security “in the face of cyber threats” (rather than “terrorism” per 2015).

By “cyber threats” there is a clarification – “the situation with the use of a variety of end equipment (iPhones, iPads, communicators, smartphones, mobile phones, etc.) needs attention against the backdrop of a growing range of telecommunications-based services, as the uncontrolled amount of end equipment in circulation contributes to the spread of “mobile fraud” and other cyber crimes.”

The proposed legislation obliges all providers to “collect personal data of all users without exception”. It further provides for 3 months to do so.

That appears to be beyond an ambitious timescale, to the point of being unattainable, to “collect personal data without exception” of users for what could well be up to 90 million SIM cards and/or devices tracked by mobile services.

When it is collected then there is the issue of multiple SIM card/device assignments to such “personal data”.

Further it is also currently unclear what exactly constitutes sufficient “personal data” for providers to be in compliance, or how that “personal data” is to be collected – and verified.

A reader (and an end user) can only hope that when flush with all the “personal data”, the mobile providers are not then themselves subjected to the “cyber threats” and “other cyber crimes” that this legislation purports to mitigate against when gathering it.

There is also a requirement to complete a register of IMEI codes that currently doesn’t exist.

The draft law is really something of a shambles, as is the proposed 3 month time frame for adherence by providers, which to remain in compliance would presumably be forced to cut off services to all those whose “personal data” had either not been collected, or had not been entered into whatever database, or had not had all cross assignments to accompanying multiple SIMs and devices allocated.

There is nothing necessarily wrong with the policy, but the draft law is simply poor as currently written, and the effective implementation date is quite simply not achievable.